Who is a Malicious Insider?

Current or former employee, contractor, or other business partner who

■ has or had authorized access to an organization's network, system or data and

■ intentionally exceeded or misused that access in a manner that

■ negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.


Types of Insider Crimes

Insider IT sabotage

An insider's use of IT to direct specific harm at an organization or an individual.

Insider theft of intellectual property (IP)

An insider's use of IT to steal intellectual property from the organization. This category includes industrial espionage involving insiders.

Insider fraud

An insider's use of IT for the unauthorized modification, addition, or deletion of an organization's data (not programs or systems) for personal gain, or theft of information which leads to fraud (identity theft, credit card fraud).
CERT's Insider Threat Case Database

Critical Infrastructure Sectors

[Chart: US Cases by Sectors (top 6) and Type of Crime. Sectors: IT and Telecomm; Banking and Finance; Government; Public Health; Commercial Facilities; Education; All other sectors. Series: Theft IP, Sabotage, Fraud.]
CERT's Unique Approach to the Problem
CERT Insider Threat Center Objective

Tech indicators

Opportunities for prevention, detection, and response for an insider attack
Insider Crime Profiles

IT Sabotage

TRUE STORY:

SCADA systems for an oil-exploration company are temporarily disabled...

A contractor, whose request for permanent employment was rejected, planted malicious code following termination
Insider IT Sabotage

Who did it?

• Former employees

• Male

• Highly technical positions

• Age: 17-60

How did they attack?

• No authorized access

• Backdoor accounts, shared accounts, other employees' accounts, insider's own account

• Many technically sophisticated

• Remote access outside normal working hours
Summary of Findings

Column: IT Sabotage

% of crimes in case database**: 35%
Current or former employee?: Former
Type of position: Technical (e.g. sys admins or DBAs)
Gender: Male

** Does not include national security espionage
Summary of Findings

Column: IT Sabotage

Target: Network, systems, or data
Access used: Unauthorized
When: Outside normal working hours
Where: Remote access
Recruited by outsiders: None
Collusion: None
Fraud

TRUE STORY:

An undercover agent who claims to be on the "No Fly list" buys a fake driver's license from a ring of DMV employees...

The 7-person identity theft ring consisted of 7 employees who sold more than 200 fake licenses for more than $1 Million.
Fraud: Theft or Modification

Who did it?

• Current employees

• "Low level" positions

• Gender: fairly equal split

• Average age: 33

What was stolen/modified?

• Personally Identifiable Information (PII)

• Customer Information (CI)

• Very few cases involved trade secrets

How did they steal/modify it?

• During normal working hours

• Using authorized access
Summary of Findings

Columns: IT Sabotage | Fraud

% of crimes in case database**: 35% | 40%
Current or former employee?: Former | Current
Type of position: Technical (e.g. sys admins or DBAs) | Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service)
Gender: Male | Fairly equally split between male and female

** Does not include national security espionage
Summary of Findings

Columns: IT Sabotage | Fraud

Target: Network, systems, or data | PII or Customer Information
Access used: Unauthorized | Authorized
When: Outside normal working hours | During normal working hours
Where: Remote access | At work
Recruited by outsiders: None | 1/2 recruited for theft; less than 1/3 recruited for mod
Collusion: None | Mod: almost 1/2 colluded with another insider; Theft: 2/3 colluded with outsiders
Theft of Intellectual Property

SEI Technologies Forum
Software Engineering Institute, Carnegie Mellon. Twitter #SEIVirtualForum
© 2011 Carnegie Mellon University

TRUE STORY:

Research scientist downloads 38,000 documents containing his company's trade secrets before going to work for a competitor...

Information was valued at $400 Million
Theft of Intellectual Property

Who did it?

• Current employees

• Technical or sales positions

• All male

• Average age: 37

What was stolen?

• Intellectual Property (IP)

• Customer Information (CI)

How did they steal it?

• During normal working hours

• Using authorized access
Dynamics of the Crime

Most were quick theft upon resignation

Stole information to

• Take to a new job

• Start a new business

• Give to a foreign company or government organization

Collusion

• Collusion with at least one insider in almost 1/2 of cases

• Outsider recruited insider in less than 1/4 of cases

• Acted alone in 1/2 of cases
Summary of Findings

Columns: IT Sabotage | Fraud | Theft of Intellectual Property

% of crimes in case database**: 35% | 40% | 18%
Current or former employee?: Former | Current | Current
Type of position: Technical (e.g. sys admins or DBAs) | Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service) | Technical (71%): scientists, programmers, engineers; Sales (29%)
Gender: Male | Fairly equally split between male and female | Male

** Does not include national security espionage
Summary of Findings

Columns: IT Sabotage | Fraud | Theft of Intellectual Property

Target: Network, systems, or data | PII or Customer Information | IP (trade secrets): 71%; Customer Info: 33%
Access used: Unauthorized | Authorized | Authorized
When: Outside normal working hours | During normal working hours | During normal working hours
Where: Remote access | At work | At work
Recruited by outsiders: None | 1/2 recruited for theft; less than 1/3 recruited for mod | Less than 1/4
Collusion: None | Mod: almost 1/2 colluded with another insider; Theft: 2/3 colluded with outsiders | Almost 1/2 colluded with at least one insider; 1/2 acted alone
Mitigation Strategies

Our Suggestion

Targeted Monitoring

Real-time Alerting

Common Sense Guide to Prevention and Detection of Insider Threats

http://www.cert.org/archive/pdf/CSG-V3.pdf
Summary of Best Practices in CSG

Consider threats from insiders and business partners in enterprise-wide risk assessments.

Clearly document and consistently enforce policies and controls.

Institute periodic security awareness training for all employees.

Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.

Anticipate and manage negative workplace issues.

Track and secure the physical environment.

Implement strict password and account management policies and practices.

Enforce separation of duties and least privilege.

Consider insider threats in the software development life cycle.

Use extra caution with system administrators and technical or privileged users.

Implement system change controls.

Log, monitor, and audit employee online actions.

Use layered defense against remote attacks.

Deactivate computer access following termination.

Implement secure backup and recovery processes.

Develop an insider incident response plan.
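The deck's "Targeted Monitoring / Real-time Alerting" suggestion and the practices "Log, monitor, and audit employee online actions" and "Deactivate computer access following termination" can be turned into a concrete check against the IT-sabotage profile above (former employees, remote access outside normal working hours). The following is an added example, not code from the CERT deck or the Insider Threat Center; the log line layout, the terminated-account list, the working-hours window and the sample events are all constructed assumptions.

```python
"""Added example (not from the CERT deck): a targeted-monitoring check that
flags the sabotage indicators the deck lists. All inputs are constructed."""
from datetime import datetime

# Constructed: accounts whose access should have been deactivated at termination.
TERMINATED = {"jdoe": datetime(2011, 3, 1)}

# Constructed sample events, assumed layout: "timestamp user source action".
SAMPLE_LOG = """\
2011-03-02T02:14:00 jdoe vpn login
2011-03-02T10:05:00 asmith lan login
2011-03-03T23:40:00 bwong vpn login
2011-03-03T14:00:00 bwong vpn login
"""

WORK_START, WORK_END = 8, 18  # assumed normal working hours, local time

def parse_line(line):
    """Split one constructed log line into a dict of fields."""
    ts, user, source, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "source": source, "action": action}

def alerts_for(event):
    """Return the alert tags the deck's findings suggest for one event."""
    tags = []
    term = TERMINATED.get(event["user"])
    if term is not None and event["ts"] >= term:
        tags.append("terminated-account-active")  # access never deactivated
    outside = not (WORK_START <= event["ts"].hour < WORK_END)
    if event["source"] == "vpn" and outside:
        tags.append("remote-outside-hours")  # remote, outside normal hours
    return tags

def scan(log_text):
    """Map each flagged log line to its tags; clean events are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        if line.strip():
            tags = alerts_for(parse_line(line))
            if tags:
                flagged[line] = tags
    return flagged

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG).items():
        print(line, "->", ", ".join(tags))
```

In a real deployment the terminated-account list would come from the HR or identity system at offboarding time, and each tag would feed the real-time alerting the deck recommends.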
Point of Contact

Insider Threat Technical Team Lead
Randall F. Trzeciak
CERT Program

Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-7040 - Phone
rft@cert.org - Email

http://www.cert.org/insider_threat/
Notices

© 2011 Carnegie Mellon University

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN "AS IS" BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.